Opened 3 years ago

Closed 23 months ago

#27863 closed New feature (fixed)

Implement "SameSite" flag for session and CSRF cookies

Reported by: Alex Gaynor Owned by: Paweł Krawczyk
Component: HTTP handling Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no


SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection, but at 50% global deployment, it'd be very useful for Defense in Depth.

I believe simply adding SameSite=lax to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).

Change History (7)

comment:1 Changed 3 years ago by Alex Gaynor

Note: this requires a change to the stdlib cookies module: I suspect with some hackery this can be worked around in Django though.

comment:2 Changed 3 years ago by Paweł Krawczyk

Owner: changed from nobody to Paweł Krawczyk
Status: new → assigned

This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.
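
The set_cookie()-level approach described in this comment, as an added illustration that is not Django's own code: a helper that emits a Set-Cookie header carrying SameSite through the stdlib http.cookies module (registering the attribute name, the stdlib workaround comment 1 alludes to, where the stdlib does not already know it) plus an audit helper that lists cookies lacking the attribute. Function names and the cookie values are constructed for this example.

```python
"""Emit and audit Set-Cookie headers carrying the SameSite attribute.

Constructed example illustrating the ticket's proposal; not Django's
own set_cookie() implementation.
"""
from http import cookies

# Older stdlib versions do not list SameSite as a cookie attribute, so a
# Morsel rejects it with CookieError.  Registering the attribute name is the
# workaround comment 1 alludes to; where the stdlib already knows it,
# setdefault() changes nothing.
cookies.Morsel._reserved.setdefault("samesite", "SameSite")

ALLOWED_SAMESITE = ("lax", "strict")


def build_set_cookie(name, value, samesite="Lax", secure=False,
                     httponly=False, path="/"):
    """Return the value of one Set-Cookie header.

    samesite defaults to 'Lax' as the ticket proposes for the session
    cookie; 'Strict' is the other accepted value and None omits the
    attribute.  Any other string is rejected rather than emitted, so a
    typo cannot silently yield a cookie with no SameSite policy.
    """
    if samesite is not None and samesite.lower() not in ALLOWED_SAMESITE:
        raise ValueError("samesite must be 'Lax', 'Strict' or None")
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = secure        # flag attributes: emitted only when true
    morsel["httponly"] = httponly
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def cookies_without_samesite(set_cookie_headers):
    """Audit helper: names of cookies, among the given Set-Cookie header
    values (e.g. from a captured response), that carry no SameSite."""
    lacking = []
    for header in set_cookie_headers:
        jar = cookies.SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["samesite"]:
                lacking.append(name)
    return lacking
```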

comment:3 Changed 3 years ago by Paweł Krawczyk

Has patch: set

comment:4 Changed 3 years ago by Paweł Krawczyk

Version: 1.10 → master

comment:5 Changed 3 years ago by Simon Charette

Component: contrib.sessions → HTTP handling
Needs documentation: set
Needs tests: set
Patch needs improvement: set
Summary: Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies

comment:6 Changed 23 months ago by Tim Graham

Needs documentation: unset
Needs tests: unset

New PR (still needs some work)

comment:7 Changed 23 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 9a56b4b1:

Fixed #27863 -- Added support for the SameSite cookie flag.

Thanks Alex Gaynor for contributing to the patch.
